Allow running the process as a non root user.

mendhak · mendhak · commit 58d461fe3ba8 · 2020-11-25T21:37:46.000Z
I've chowned the /app directory in the container to node user. This allows the process to access the private key. However! I've not set the USER to node in the Dockerfile because then the process would be unable to bind to port 80 internally (or anything below 1024). I didn't want to force it either and make it a breaking change, because many existing setups will be mapping 8080 externally to 80/443 internally, for example. The workaround is therefore on the user (sorry), they will need to set the environment variable to a higher number, or use the --sysctl net.ipv4.ip_unprivileged_port_start=0 flag Reference: moby/moby#8460 (comment) Issue mendhak#14
diff --git a/Dockerfile b/Dockerfile
@@ -10,4 +10,6 @@ RUN npm install --production
 
 RUN apk --no-cache add openssl && sh generate-cert.sh && rm -rf /var/cache/apk/*
 
+RUN chown -R node:node /app
+
 CMD ["node", "./index.js"]
diff --git a/README.md b/README.md
@@ -106,8 +106,15 @@ Will contain a `json` property in the response/output.
         }
     }
 
+## Run as a non-root or rootless user
 
+Set the `--user` to `node`, and change the internal ports to a high number. 
 
+    docker run --user node -e HTTP_PORT=8080 -e HTTPS_PORT=8443 -p 8080:8080 -p 8443:8443 --rm mendhak/http-https-echo
+
+Or use the sysctl flag, like so
+
+    docker run --user node --sysctl net.ipv4.ip_unprivileged_port_start=0 -p 8080:80 -p 8443:443 --rm mendhak/http-https-echo
 
 ## Output
 
diff --git a/tests.sh b/tests.sh
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+set -euo pipefail
+
 function message {
     echo ""
     echo "---------------------------------------------------------------"
@@ -34,13 +36,11 @@ pushd testarea
 message " Cleaning up from previous test run "
 docker ps -q --filter "name=http-echo-tests" | grep -q . && docker stop http-echo-tests
 
-message " Start container "
+message " Start container normally "
 docker run -d --rm --name http-echo-tests -p 8080:80 -p 8443:443 -t mendhak/http-https-echo
 sleep 5
 
 
-
-
 message " Make http(s) request, and test the path, method and header. "
 REQUEST=$(curl -s -k -X PUT -H "Arbitrary:Header" -d aaa=bbb https://localhost:8443/hello-world)
 if [ $(echo $REQUEST | jq -r '.path') == '/hello-world' ] && \
@@ -172,7 +172,34 @@ fi
 message " Stop containers "
 docker stop http-echo-tests 
 
+message " Check that container can run as a NON ROOT USER "
+docker run -d --name http-echo-tests --user node -e HTTP_PORT=8888 -e HTTPS_PORT=9999 -p 8080:8888 -p 8443:9999 --rm mendhak/http-https-echo
+
+WHOAMI=$(docker exec http-echo-tests whoami)
+
+if [ "$WHOAMI" == "node" ]
+then
+    passed "Running as non root user"
+else
+    failed "Running as root user"    
+    exit 1
+fi
+
+message " Make http(s) request, and test the path, method and header. "
+REQUEST=$(curl -s -k -X PUT -H "Arbitrary:Header" -d aaa=bbb https://localhost:8443/hello-world)
+if [ $(echo $REQUEST | jq -r '.path') == '/hello-world' ] && \
+   [ $(echo $REQUEST | jq -r '.method') == 'PUT' ] && \
+   [ $(echo $REQUEST | jq -r '.headers.arbitrary') == 'Header' ] 
+then
+    passed "HTTPS request passed."
+else
+    failed "HTTPS request failed."
+    echo $REQUEST | jq
+    exit 1
+fi
 
+message " Stop containers "
+docker stop http-echo-tests 
 
 popd
-rm -rf testarea
+rm -rf testarea

Original file line number	Diff line number	Diff line change
@@ -106,8 +106,15 @@ Will contain a `json` property in the response/output.
`106`	`106`	`}`
`107`	`107`	`}`
`108`	`108`
	`109`	`+## Run as a non-root or rootless user`
`109`	`110`
	`111`	+Set the `--user` to `node`, and change the internal ports to a high number.
`110`	`112`
	`113`	`+ docker run --user node -e HTTP_PORT=8080 -e HTTPS_PORT=8443 -p 8080:8080 -p 8443:8443 --rm mendhak/http-https-echo`
	`114`	`+`
	`115`	`+Or use the sysctl flag, like so`
	`116`	`+`
	`117`	`+ docker run --user node --sysctl net.ipv4.ip_unprivileged_port_start=0 -p 8080:80 -p 8443:443 --rm mendhak/http-https-echo`
`111`	`118`
`112`	`119`	`## Output`
`113`	`120`